Creating a Privacy Statement for Internet CME Activities

1
Creating a Privacy Statement for Internet CME
Activities

• November 9, 2002
• R. Van Harrison, PhD
• Pierre A. Lavalard, MBA
• Office of Continuing Medical Education
• University of Michigan Medical school

2
Problem Internet and Personal Information

• What is different about the Internet?
• Can track use
• Can link information easily
• Can contact users at little expense
• Can assemble and sell information easily
• Quantitative and qualitative increase in risk to
  privacy and confidentiality

3
Concern Internet and Medical Information

• AMA Guidelines for Medical and Health
  Information
• Pages 7-9 Principles for website privacy
  and confidentiality
• www.ama-assn.org/ama/pub/category/1905.html
  
• Internet Healthcare Coalition eHealth Code of
  Ethics
• Page 6 Principles related to privacy
• www.ihealthcoalition.org/ethics/code0524.pd
  f

4
ACCMEs Requirement for Internet CME

• Policy 2002-A-11
• The accredited provider must have, adhere to, and
  inform the learner about its policy on privacy
  and confidentiality that relates to the CME
  activities it provides on the Internet.
• www.accme.org/whatsnew/sec_new_nw1_227.asp
• ACCME provided no information, education, or
  direction!

5
Privacy Policies are an Implied Contract!

• You define your standards of conduct
  regarding users information.
• Users can know those standards and make an
  informed choice to provide information.
• If you use information differently, users can
  sue!

6
Online Privacy Alliance

• www.privacyalliance.org
• More than 40 global companies and associations
• Trust and protection of individuals' privacy
  online and in electronic commerce.
• Resources
• Guidelines for online privacy policies
• Links to privacy policy generators
• Links to enforcement programs
• Links to U.S. Federal Trade Commission privacy
  information
• And a lot more

7
Highlights Guidelines for Online Privacy Policies

• Notice and Disclosure
• Easy to find, read, understand, and encountered
  prior to information collection
• State what information is being collected and its
  use
• State accountability mechanism and how to contact
  organization
• Choice/Consent
• Opportunity to opt out of uses unrelated to the
  purpose of collection
• Data Security
• Measures to assure security of individually
  identifiable information
• Data Quality and Access
• Mechanisms to that inaccuracies may be corrected

8
Privacy Policy Generators

• An online form asks specific questions, then
  prints statements.
• For example The information we collect is
  (choose all that apply)
• Used for internal review and is then discarded
• Used to improve the content of our Web page
• Used to customize the content and/or layout of
  our page for each individual visitor
• Used to notify visitors about updates to our Web
  site
• Used by us to contact customers for marketing
  purposes
• Shared with other reputable organizations to help
  them contact consumers for marketing purposes
• Not shared with other organizations for
  commercial purposes
• Other ________________
• Great for operational specifics, but result is
  awkward.

9
Our Institutions Policies

• Standard Practice Guide Proper Use of
  Information Resources Information Technology,
  and Networks at the University of Michigan
• Guidelines for Implementing the Proper Use Policy
  of the University of MichiganResponsible Use
  of Technology Resources
• Fairly general, but a few useful specifics, e.g.,
  central location to report abuse.

10
Looked at Other Internet CME Policies

• Short as 3 sentences
• Long as 4 pages
• Commercial CME site had complex uses
• No model that closely fit our needs

11
Created Our Own Policy

• Headings (1 1/3 pages total)
• Introduction
• Information collected and purpose
• Other uses of information
• Change in policy
• Security
• Concerns about following policy
• Contact information

12
Where to Place Privacy Policy?

• Link to policy where it can be seen early
• On main CME page cme.med.umich.edu
• On first page of each Internet CME activity

13
Whew! We are in compliance.

• By Oct. 1, 2002
• Policy statement approved
• Policy statement link on our main CME web
  page
• Policy statement link on each Internet CME
  activity on our site

14
Is that ALL of our Internet CME Activities?

• CME activities hosted outside our institution
  (e.g., communication companies). Now need to
  review
• Do they have privacy statements?
• Do we accept them for our CME activities?
• Other CME sites we host (e.g., proprietary site)
• What special privacy statement is needed?

15
Conclusions Lessons LearnedAbout Privacy
Statements for Internet CME

• Privacy policy statements are legal contracts
• No one size fits all solution
• Internet CME providers need CE on Internet
  privacy
• Then you will be able to
• Develop privacy policy for site(s) you
  directly control
• Review and judge privacy policy on other sites
  hosting your CME activities